Four patches are attached:

correct-fn-usage.diff:
- Fixes a bug: use the calls the same way OpenSSL does internally.

ecdsa-too-many-keys.diff:
- Array initializer had 6 elements, but array was of size 5.

evp-md-add-missing-field.diff:
- The EVP_MD struct for DSA and ECDSA needed the md_ctrl field filled.

remove-unused-declarations.diff:
- Some GOST definitions were unused.
- Some ECDSA definitions were unused.

-- 
Mak Kolybabi
<[email protected]>

() ASCII Ribbon Campaign | Against HTML e-mail
/\  www.asciiribbon.org  | Against proprietary extensions
diff --git a/src/openssl/signatures.c b/src/openssl/signatures.c
index 8a47ef7..246e958 100644
--- a/src/openssl/signatures.c
+++ b/src/openssl/signatures.c
@@ -998,13 +998,14 @@ xmlSecOpenSSLEcdsaEvpSign(int type ATTRIBUTE_UNUSED,
                         unsigned char *sig, unsigned int *siglen, void *ecdsa) {
     int rSize, sSize, xLen;
     const EC_GROUP *group;
-    BIGNUM order;
+    BIGNUM *order = NULL;
     ECDSA_SIG *s;
+    int ret = 0;
 
     s = ECDSA_do_sign(dgst, dlen, ecdsa);
     if(s == NULL) {
-        *siglen=0;
-        return(0);
+        *siglen = 0;
+        return(ret);
     }
 
     group = EC_KEY_get0_group(ecdsa);
@@ -1014,21 +1015,29 @@ xmlSecOpenSSLEcdsaEvpSign(int type ATTRIBUTE_UNUSED,
                     "EC_KEY_get0_group",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
                     XMLSEC_ERRORS_NO_MESSAGE);
-        ECDSA_SIG_free(s);
-        return(0);
+        goto err;
     }
 
-    if(EC_GROUP_get_order(group, &order, NULL) != 1) {
+    order = BN_new();
+    if(order == NULL) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "BN_new",
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+        goto err;
+    }
+
+    if(EC_GROUP_get_order(group, order, NULL) != 1) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
                     "EC_GROUP_get_order",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
                     XMLSEC_ERRORS_NO_MESSAGE);
-        ECDSA_SIG_free(s);
-        return(0);
+        goto err;
     }
 
-    xLen = BN_num_bytes(&order);
+    xLen = BN_num_bytes(order);
     if(xLen > (XMLSEC_OPENSSL_ECDSA_SIGNATURE_SIZE / 2)) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
@@ -1036,8 +1045,7 @@ xmlSecOpenSSLEcdsaEvpSign(int type ATTRIBUTE_UNUSED,
                     XMLSEC_ERRORS_R_INVALID_SIZE,
                     "xLen=%d > %d",
                     xLen, XMLSEC_OPENSSL_ECDSA_SIGNATURE_SIZE / 2);
-        ECDSA_SIG_free(s);
-        return(0);
+        goto err;
     }
 
     rSize = BN_num_bytes(s->r);
@@ -1049,8 +1057,7 @@ xmlSecOpenSSLEcdsaEvpSign(int type ATTRIBUTE_UNUSED,
                     XMLSEC_ERRORS_R_INVALID_SIZE,
                     "size(r)=%d or size(s)=%d > %d",
                     rSize, sSize, xLen);
-        ECDSA_SIG_free(s);
-        return(0);
+        goto err;
     }
 
     memset(sig, 0, xLen * 2);
@@ -1058,8 +1065,13 @@ xmlSecOpenSSLEcdsaEvpSign(int type ATTRIBUTE_UNUSED,
     BN_bn2bin(s->s, sig + (xLen * 2) - sSize);
     *siglen = xLen * 2;
 
+    ret = 1;
+
+err:
+    if(order != NULL)
+        BN_clear_free(order);
     ECDSA_SIG_free(s);
-    return(1);
+    return(ret);
 }
 
 static int
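Review bot: The shared `err:` exit leaves `*siglen` untouched on every `goto err` failure, while the `ECDSA_do_sign` failure path at the top of xmlSecOpenSSLEcdsaEvpSign sets it to 0 before returning. If any caller reads the length without checking the return value first, it would see whatever it passed in; adding `if(ret == 0) *siglen = 0;` right after the label makes all failure paths agree. The `if(order != NULL)` guard is redundant if `BN_clear_free()` accepts NULL, as it does in OpenSSL; this applies here and in the `err:` block of xmlSecOpenSSLEcdsaEvpVerify. The function body starts several hunks earlier, so the code between hunks was not reviewed.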
@@ -1069,7 +1081,7 @@ xmlSecOpenSSLEcdsaEvpVerify(int type ATTRIBUTE_UNUSED,
                         void *ecdsa) {
     const EC_GROUP *group;
     unsigned int xLen;
-    BIGNUM order;
+    BIGNUM *order = NULL;
     ECDSA_SIG *s;
     int ret = -1;
 
@@ -1088,7 +1100,17 @@ xmlSecOpenSSLEcdsaEvpVerify(int type ATTRIBUTE_UNUSED,
         goto err;
     }
 
-    if(EC_GROUP_get_order(group, &order, NULL) != 1) {
+    order = BN_new();
+    if(order == NULL) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "BN_new",
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+        goto err;
+    }
+
+    if(EC_GROUP_get_order(group, order, NULL) != 1) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
                     "EC_GROUP_get_order",
@@ -1097,7 +1119,7 @@ xmlSecOpenSSLEcdsaEvpVerify(int type ATTRIBUTE_UNUSED,
         goto err;
     }
 
-    xLen = BN_num_bytes(&order);
+    xLen = BN_num_bytes(order);
     if(xLen > (XMLSEC_OPENSSL_ECDSA_SIGNATURE_SIZE / 2)) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
@@ -1132,6 +1154,8 @@ xmlSecOpenSSLEcdsaEvpVerify(int type ATTRIBUTE_UNUSED,
     ret = ECDSA_do_verify(dgst, dgst_len, s, ecdsa);
 
 err:
+    if(order != NULL)
+        BN_clear_free(order);
     ECDSA_SIG_free(s);
     return(ret);
 }
diff --git a/src/openssl/signatures.c b/src/openssl/signatures.c
index 8a47ef7..7ce86e5 100644
--- a/src/openssl/signatures.c
+++ b/src/openssl/signatures.c
@@ -1318,7 +1318,7 @@ static const EVP_MD xmlSecOpenSSLEcdsaSha224MdEvp = {
     xmlSecOpenSSLEcdsaEvpSign,
     xmlSecOpenSSLEcdsaEvpVerify,
     /* XXX-MAK: This worries me, not sure that the keys are right. */
-    {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA224,0,0,0,0},
+    {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA224,0,0,0},
     SHA256_CBLOCK,
     sizeof(EVP_MD *)+sizeof(SHA256_CTX),
 };
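Review bot: The corrected initializer still carries `NID_ecdsa_with_SHA224`, a signature-algorithm NID, as its second element, and the `XXX-MAK` comment directly above it leaves that doubt unresolved. The DSA initializers elsewhere in this file fill the same slot with key types only (`EVP_PKEY_DSA,EVP_PKEY_DSA2,...`), which suggests the array is meant to list accepted key types. If that is right, `{NID_X9_62_id_ecPublicKey,0,0,0,0}` would be the matching form and the XXX comment could be replaced by one stating what the array holds; this should be confirmed against the targeted OpenSSL headers. The same applies to the SHA256, SHA384 and SHA512 hunks below.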
@@ -1415,7 +1415,7 @@ static const EVP_MD xmlSecOpenSSLEcdsaSha256MdEvp = {
     xmlSecOpenSSLEcdsaEvpSign,
     xmlSecOpenSSLEcdsaEvpVerify,
     /* XXX-MAK: This worries me, not sure that the keys are right. */
-    {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA256,0,0,0,0},
+    {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA256,0,0,0},
     SHA256_CBLOCK,
     sizeof(EVP_MD *)+sizeof(SHA256_CTX),
 };
@@ -1512,7 +1512,7 @@ static const EVP_MD xmlSecOpenSSLEcdsaSha384MdEvp = {
     xmlSecOpenSSLEcdsaEvpSign,
     xmlSecOpenSSLEcdsaEvpVerify,
     /* XXX-MAK: This worries me, not sure that the keys are right. */
-    {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA384,0,0,0,0},
+    {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA384,0,0,0},
     SHA512_CBLOCK,
     sizeof(EVP_MD *)+sizeof(SHA512_CTX),
 };
@@ -1609,7 +1609,7 @@ static const EVP_MD xmlSecOpenSSLEcdsaSha512MdEvp = {
     xmlSecOpenSSLEcdsaEvpSign,
     xmlSecOpenSSLEcdsaEvpVerify,
     /* XXX-MAK: This worries me, not sure that the keys are right. */
-    {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA512,0,0,0,0},
+    {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA512,0,0,0},
     SHA512_CBLOCK,
     sizeof(EVP_MD *)+sizeof(SHA512_CTX),
 };
diff --git a/src/openssl/signatures.c b/src/openssl/signatures.c
index 8a47ef7..3df4aa8 100644
--- a/src/openssl/signatures.c
+++ b/src/openssl/signatures.c
@@ -864,6 +864,7 @@ static const EVP_MD xmlSecOpenSSLDsaSha1MdEvp = {
     {EVP_PKEY_DSA,EVP_PKEY_DSA2,EVP_PKEY_DSA3,EVP_PKEY_DSA4,0},
     SHA_CBLOCK,
     sizeof(EVP_MD *)+sizeof(SHA_CTX),
+    NULL
 };
 
 static const EVP_MD *xmlSecOpenSSLDsaSha1Evp(void)
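Review bot: The added bare `NULL` gives no hint which struct member it fills, and in a positional initializer that is what a later reader has to check if the EVP_MD layout differs between OpenSSL versions. Per the patch description this is the md_ctrl slot, so `NULL /* md_ctrl */` would document it. The same applies to the six other EVP_MD initializers this patch touches.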
@@ -961,6 +962,7 @@ static const EVP_MD xmlSecOpenSSLDsaSha256MdEvp = {
     {EVP_PKEY_DSA,EVP_PKEY_DSA2,EVP_PKEY_DSA3,EVP_PKEY_DSA4,0},
     SHA256_CBLOCK,
     sizeof(EVP_MD *)+sizeof(SHA256_CTX),
+    NULL
 };
 
 static const EVP_MD *xmlSecOpenSSLDsaSha256Evp(void)
@@ -1224,6 +1226,7 @@ static const EVP_MD xmlSecOpenSSLEcdsaSha1MdEvp = {
     {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA1,0,0,0},
     SHA_CBLOCK,
     sizeof(EVP_MD *)+sizeof(SHA_CTX),
+    NULL
 };
 
 static const EVP_MD *xmlSecOpenSSLEcdsaSha1Evp(void)
@@ -1321,6 +1324,7 @@ static const EVP_MD xmlSecOpenSSLEcdsaSha224MdEvp = {
     {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA224,0,0,0,0},
     SHA256_CBLOCK,
     sizeof(EVP_MD *)+sizeof(SHA256_CTX),
+    NULL
 };
 
 static const EVP_MD *xmlSecOpenSSLEcdsaSha224Evp(void)
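Review bot: This hunk's first context line still shows the six-element initializer `{NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA224,0,0,0,0}` that ecdsa-too-many-keys.diff replaces, and both patches are made against the same base blob `8a47ef7`. Once that patch is applied the context no longer matches, so a strict applier is likely to reject this hunk and the SHA256, SHA384 and SHA512 hunks below. Regenerating the patches as a stacked series, or folding the two initializer changes into one patch, would avoid the conflict.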
@@ -1418,6 +1422,7 @@ static const EVP_MD xmlSecOpenSSLEcdsaSha256MdEvp = {
     {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA256,0,0,0,0},
     SHA256_CBLOCK,
     sizeof(EVP_MD *)+sizeof(SHA256_CTX),
+    NULL
 };
 
 static const EVP_MD *xmlSecOpenSSLEcdsaSha256Evp(void)
@@ -1515,6 +1520,7 @@ static const EVP_MD xmlSecOpenSSLEcdsaSha384MdEvp = {
     {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA384,0,0,0,0},
     SHA512_CBLOCK,
     sizeof(EVP_MD *)+sizeof(SHA512_CTX),
+    NULL
 };
 
 static const EVP_MD *xmlSecOpenSSLEcdsaSha384Evp(void)
@@ -1612,6 +1618,7 @@ static const EVP_MD xmlSecOpenSSLEcdsaSha512MdEvp = {
     {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA512,0,0,0,0},
     SHA512_CBLOCK,
     sizeof(EVP_MD *)+sizeof(SHA512_CTX),
+    NULL
 };
 
 static const EVP_MD *xmlSecOpenSSLEcdsaSha512Evp(void)
diff --git a/src/openssl/evp.c b/src/openssl/evp.c
index 54218a4..9cb52dc 100644
--- a/src/openssl/evp.c
+++ b/src/openssl/evp.c
@@ -1028,17 +1028,6 @@ static int              xmlSecOpenSSLKeyDataEcdsaInitialize(xmlSecKeyDataPtr dat
 static int              xmlSecOpenSSLKeyDataEcdsaDuplicate(xmlSecKeyDataPtr dst,
                                                            xmlSecKeyDataPtr src);
 static void             xmlSecOpenSSLKeyDataEcdsaFinalize(xmlSecKeyDataPtr data);
-static int              xmlSecOpenSSLKeyDataEcdsaXmlRead(xmlSecKeyDataId id,
-                                                         xmlSecKeyPtr key,
-                                                         xmlNodePtr node,
-                                                         xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int              xmlSecOpenSSLKeyDataEcdsaXmlWrite(xmlSecKeyDataId id,
-                                                          xmlSecKeyPtr key,
-                                                          xmlNodePtr node,
-                                                          xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int              xmlSecOpenSSLKeyDataEcdsaGenerate(xmlSecKeyDataPtr data,
-                                                          xmlSecSize sizeBits,
-                                                          xmlSecKeyDataType type);
 
 static xmlSecKeyDataType xmlSecOpenSSLKeyDataEcdsaGetType(xmlSecKeyDataPtr data);
 static xmlSecSize        xmlSecOpenSSLKeyDataEcdsaGetSize(xmlSecKeyDataPtr data);
@@ -1869,17 +1858,6 @@ static int              xmlSecOpenSSLKeyDataGost2001Initialize(xmlSecKeyDataPtr
 static int              xmlSecOpenSSLKeyDataGost2001Duplicate(xmlSecKeyDataPtr dst,
                                                          xmlSecKeyDataPtr src);
 static void             xmlSecOpenSSLKeyDataGost2001Finalize(xmlSecKeyDataPtr data);
-static int              xmlSecOpenSSLKeyDataGost2001XmlRead    (xmlSecKeyDataId id,
-                                                         xmlSecKeyPtr key,
-                                                         xmlNodePtr node,
-                                                         xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int              xmlSecOpenSSLKeyDataGost2001XmlWrite(xmlSecKeyDataId id,
-                                                         xmlSecKeyPtr key,
-                                                         xmlNodePtr node,
-                                                         xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int              xmlSecOpenSSLKeyDataGost2001Generate(xmlSecKeyDataPtr data,
-                                                         xmlSecSize sizeBits,
-                                                         xmlSecKeyDataType type);
 
 static xmlSecKeyDataType xmlSecOpenSSLKeyDataGost2001GetType(xmlSecKeyDataPtr data);
 static xmlSecSize        xmlSecOpenSSLKeyDataGost2001GetSize(xmlSecKeyDataPtr data);